The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025.

Advanced configuration

You can update the following settings while HA is active without causing downtime.

Keepalive timer

The keepalive timer has the following settings:

  • The keepalive interval is the duration between two successive keepalive retransmissions.
  • The keepalive attempts setting is the number of attempts made before a device is determined to have failed. For example, if you configure the keepalive request interval to 250 ms and keepalive attempts to eight, the device will be declared dead after 250 ms * 8 = 2000 ms, or 2 seconds.

Here's an example of the keepalive timer settings.

Keepalive configuration options.

Cluster ID

A cluster is a pair of devices operating in HA. Devices in the same cluster must share the same cluster ID. If you have multiple HA clusters, assign a different ID to each cluster.

Monitoring ports

If any monitored port goes down, the device leaves the cluster, and a failover occurs.

Peer administration port

This is the port used for administration purposes on the auxiliary device.

Using the hypervisor-assigned MAC address

With this option, you don't need to turn on promiscuous mode on the vSwitch when you run a virtual Sophos Firewall device.

Failing back to the primary device

When a failover occurs, traffic is routed through the auxiliary device. Select this option if you want to move back automatically to the primary device when it recovers.

When you set a preferred primary device, the cluster behaves as follows:

  1. The device you're signed in to when you turn on this option becomes the preferred primary.
  2. Whenever the preferred primary device restarts or comes up again after a failover, it restarts the peer device once all services are started and synchronized. It then becomes the primary device again.

Here's an example of how this works:

Failback to primary device process.